In part 1 of our series on the new features of Splunk Enterprise 6.6, we looked at Splunk Knowledge Object management. In part 2, we will explore new features within the enhanced search editor, such as line numbering, syntax highlighting and macro expansion.

Enhanced Search Editor – Line Numbering and Syntax Highlighting

The two features I’ll expand on in this section are line numbering and syntax highlighting. Not only do they add visual appeal by giving the user a theme choice, but they also let you write queries in an enhanced search editor. You can activate these features by going to your user account settings. Under the ‘Search’ options, select Dark Theme for ‘Syntax highlighting’ and set ‘Show line numbers’ to On.

After selecting dark-themed highlighting and activating line-numbering, my Splunk search bar now has a black background with line numbering, making it easier to find or edit lines of code.

The line numbering allows you to review commands and adds clarity to functions for the user. This would be an invaluable tool when comparing searches or troubleshooting. For comparison, here is a view of the Splunk 6.5 Search Bar, without the syntax highlighting or line numbering.

Enhanced Search Editor – Macro Expansion

In Splunk 6.5 and earlier versions, to view the complete search commands executed by a macro, you either navigated to Advanced Search > Search Macros or searched for the macro string via the job inspector. However, in Splunk 6.6, the enhanced search editor allows you to expand your macros to display the search string in a pop-up. Understanding how your macros work when writing search queries can save time, and macro expansion has been given a keyboard shortcut for easy access.

In the Splunk 6.6 Search bar, use “CTRL+SHIFT+E” on Windows or “CMD+SHIFT+E” on Macs to display a pop-up of your macro. This is illustrated in the graphic below.